All Categories
Understanding the underground fraud economy - dark web markets, criminal tools, and how fraud operations are organized
The Criminal Supply Chain
Marcus Chen had been a fraud analyst for three years, but he'd never seen anything like this. A single compromised card had led him down a rabbit hole that changed how he thought about fraud forever.
It started with a chargeback. A customer in Ohio claimed she never made a $47 purchase from an electronics retailer in Miami. Standard stuff. But when Marcus pulled the transaction data, something caught his eye: the shipping address was different from the billing address, and the email domain looked strange. He flagged it and moved on.
A week later, a pattern emerged. Fourteen more chargebacks, all with the same characteristics. Different cards, different cardholders, but all shipping to addresses within a three-mile radius of each other. The email addresses followed a template: random words, underscore, two digits, all at the same obscure domain.
Marcus started digging. The IP addresses traced to residential proxies. The device fingerprints showed virtual machines. The phone numbers used for verification were VoIP. Every piece of data that should have been unique was manufactured.
He wasn't looking at fourteen separate fraudsters. He was looking at one operation using fourteen stolen identities. And somewhere out there was a marketplace that had sold them everything they needed: the card numbers, the personal information to pass verification, the tools to mask their location, and the network of addresses to receive the goods.
This story is fictional, but the patterns are real.
Why This Matters
In the previous articles, you learned about fraud types and how attacks work. But here's what most people miss: modern fraud isn't a solo act. It's a supply chain.
The person who steals your credit card number probably isn't the person who uses it. The hacker who breaches a database probably doesn't know how to cash out. The scammer on the phone probably bought their script from someone else.
Understanding this ecosystem matters because it explains why fraud keeps growing despite better security. When one operation gets shut down, the suppliers just find new customers. When one vulnerability gets patched, the toolmakers adapt. The infrastructure persists even as individual actors come and go.
The Criminal Marketplace Ecosystem
How the Markets Work
Criminal marketplaces operate like any e-commerce site. They have storefronts, product listings, customer reviews, escrow services, and even customer support.
In June 2025, U.S. authorities seized approximately 145 domains belonging to BidenCash, a marketplace that had been operating since 2022. The numbers tell the story of an organized business: over 117,000 customers, more than 15 million payment card numbers traded, and over $17 million in revenue.[1]
BidenCash wasn't unusual in its structure. It was unusual only in getting caught.
These markets typically offer:
| Category | What's Sold | How It's Used |
|---|---|---|
| Payment data | Stolen card numbers with CVV | Direct purchases or resale |
| Fullz | Complete identity packages (SSN, DOB, address) | Account opening, loan fraud |
| Account access | Login credentials, session tokens | Account takeover |
| Tools | Checkers, proxies, fake ID templates | Operational support |
| Services | Money laundering, cash-out crews | Monetization |
The Price of Stolen Data
Pricing follows supply and demand, just like legitimate markets. A basic U.S. credit card number with CVV runs $10 to $40. Cards with high limits (over $5,000) fetch $110 to $120. Bank login credentials cost $200 to $1,000 or more, depending on the account balance.[2]
"Fullz" packages, which include name, Social Security number, date of birth, and sometimes a driver's license scan, sell for $20 to $100 or more. The more complete the package, the more fraud it enables.
Fresh data commands a premium. Immediately after a major breach, high-quality records sell at top prices. But the market floods quickly. Within weeks, those same records become a low-cost commodity as thousands of copies circulate.
The Specialization Economy
What makes criminal infrastructure so resilient is specialization. Each role in the supply chain focuses on what they do best.
Data suppliers harvest stolen credentials through breaches, phishing, skimming devices, or infostealer malware. They sell raw data in bulk.
Processors take raw data and enrich it. They run card numbers through "checkers" to verify which ones still work. They match partial records to build complete identity profiles. They package data for specific use cases.
Tool makers build the technology. Proxy networks that mask location. Virtual machine configurations that evade device fingerprinting. Bots that automate account creation. Templates for fake identity documents.
Operators execute the fraud. Some specialize in card-not-present purchases. Others run social engineering campaigns. Some coordinate networks of money mules to move funds.
Cash-out specialists turn stolen value into spendable money. This might involve purchasing gift cards, buying and reselling merchandise, converting cryptocurrency, or running funds through shell companies.
No single person needs to master every skill. The marketplace connects specialists, each taking a cut of the final profit.
Money Movement Infrastructure
Getting money out is often the hardest part. Stolen card numbers are worthless if you can't convert them to cash.
Common cash-out methods include:
Reshipping networks: Operators purchase goods with stolen cards and ship them to "drops," addresses controlled by money mules who forward packages overseas. The mules often don't know they're participating in fraud.
Gift card laundering: Purchase gift cards online, sell them on secondary markets at a discount. The buyer gets a bargain; the seller converts stolen payment credentials into untraceable cash.
Cryptocurrency mixing: Convert stolen funds to cryptocurrency, run them through "mixers" or "tumblers" that blend transactions to obscure the source, then cash out through exchanges with weak verification.
High-risk merchant accounts: Some merchants knowingly or unknowingly process fraudulent transactions. The funds settle to a bank account before chargebacks arrive, then disappear.
The Role of Platforms
Until recently, criminal marketplaces operated primarily on the dark web, requiring specialized software to access. That's changing.
Telegram has become a major hub for fraud services. Channels advertise stolen data, hacking services, and fraud tools. The platform's perceived privacy and ease of use make it attractive, though Telegram has stepped up enforcement in response to pressure.
Huione Guarantee, operating under a Cambodian financial conglomerate, aggregates Telegram channels offering everything from stolen personal data to money laundering services and deepfake tools.[3] Cambodia's National Bank revoked its banking license in March 2025 following international pressure.
The platforms shift, but the infrastructure adapts. When one channel gets shut down, operators move to another. When one marketplace gets seized, competitors absorb its customer base.
Understanding Scale
The FBI's Internet Crime Complaint Center reported $16.6 billion in cybercrime losses in 2024, with fraud accounting for $13.7 billion of that total.[4] Cryptocurrency-related fraud alone reached $9.3 billion, a 66% increase from 2023.
These numbers only capture reported losses in the United States. Global estimates are harder to pin down, but industry reports suggest fraud costs exceed $1 trillion annually.
The scale explains why the infrastructure persists. With that much money flowing, there's enormous incentive to innovate, specialize, and professionalize.
Key Takeaways
- Fraud operates as a supply chain with specialized roles: data suppliers, tool makers, operators, and cash-out specialists
- Criminal marketplaces function like legitimate e-commerce, with storefronts, reviews, escrow, and support
- Stolen data pricing follows supply and demand; fresh data commands premiums while breached records become commodities
- The infrastructure's resilience comes from specialization; shutting down one actor doesn't disrupt the supply chain
- Platforms shift from dark web to Telegram to gray-market hubs, but the underlying economy adapts
Key Terms
| Term | Definition |
|---|---|
| Carding | Using stolen payment card data for unauthorized purchases |
| Fullz | Complete identity package including name, SSN, DOB, and often more |
| Checker | Tool that tests stolen card numbers to verify which are still active |
| Drop | Address used to receive goods purchased with stolen credentials |
| Money mule | Person who moves fraudulent funds, often unknowingly |
| Escrow | Third-party service holding payment until buyer confirms goods |
| Mixer/Tumbler | Service that blends cryptocurrency transactions to obscure origins |
| Proxy | Server that masks the user's real IP address and location |
| Infostealer | Malware that harvests credentials and personal data from infected devices |
| Cash-out | Converting stolen value (cards, credentials, access) into spendable money |
References
1. BleepingComputer: BidenCash carding market domains seized in international operation↗ (June 2025)
2. DeepStrike: Dark Web Data Pricing 2025↗
3. Recorded Future: How Huione Marketplace Fuels Global Cyber Fraud↗
4. FBI Internet Crime Complaint Center: 2024 Annual Report↗
Generated with AI assistance. Reviewed by humans for accuracy.
Test Your Knowledge
Ready to test what you've learned? Take the quiz to reinforce your understanding.